Source: xfce4-panel-profiles Severity: normal Tags: patch User: reproducible-builds@lists.alioth.debian.org Usertags: umask username X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org Several of the tarballs shipped in /usr/share/xfce4-panel-profiles/layouts/ embed the username, userid, groupname, groupid and umask of the build user: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/xfce4-panel-profiles.html /usr/share/xfce4-panel-profiles/layouts/Cupertino.tar.bz2 -rw-r--r--···0·pbuilder1··(1111)·pbuilder1··(1111)·····4925·2021-02-21·22:44:32.000000·config.txt vs. -rw-rw-r--···0·pbuilder2··(2222)·pbuilder2··(2222)·····4925·2021-02-21·22:44:32.000000·config.txt The attached patch fixes this by passing arguments to tar in Makefile.in.in to ensure consistent user, group, uid, gid and file permissions in the generated tarballs. I have not verified that these changes work correctly in the resulting packages, only that it builds reproducibly; please be sure to verify before uploading. With this patch applied, xfce4-panel-profiles should become reproducible on tests.reproducible-builds.org! Thanks for maintaining xfce4-panel-profiles! live well, vagrant
From 8cf9f8941c20e1527ac73829687c0ea5f2f4b608 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian <vagrant@reproducible-builds.org> Date: Tue, 12 Apr 2022 01:28:32 +0000 Subject: [PATCH 1/3] Makefile.in.in: Pass arguments to tar to make build reproducible regardless of user or umask. https://reproducible-builds.org/docs/archives/ --- Makefile.in.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Makefile.in.in b/Makefile.in.in index a34e177..180da38 100644 --- a/Makefile.in.in +++ b/Makefile.in.in @@ -31,6 +31,8 @@ pot: ifeq ($(shell tar --help|grep -o sort=),sort=) TAROPTS := --sort=name --format ustar + TAROPTS += --owner=0 --group=0 --numeric-owner + TAROPTS += --mode=u=wrX,og= endif layouts: cd data/layouts/cupertino; tar $(TAROPTS) -cvjf "../Cupertino.tar.bz2" * -- 2.30.2
Attachment:
signature.asc
Description: PGP signature